Channel: Directory Services forum

Domain controller setup temporarily with two IP addresses


I am upgrading our domain controllers from 2008 to 2012 R2.  I have a new DC that is 2012 R2 (VM) and I have transferred the roles and GC.  The last step is DHCP.  I am in that process but ran into an issue with our VLAN not getting IP addresses from the new DHCP server.  It will only get them from the old DHCP server.  I have done a complete backup and restore and everything transferred, but still no IPs are given to the VLAN.  I am sure the issue is that the router is set up to point its DHCP helper address to the old DHCP server.  I don't have access to that router to make that change.  I am hoping I can demote the old DHCP server and place that IP address on the new DHCP server (temporarily) so that IP addresses are issued properly during the time I wipe and install Win2012 R2 on that domain controller (physical server).  Once the physical server is loaded with Windows 2012 R2 and promoted I will place DHCP back and then restore that IP address.

Does this sound OK?  Do you foresee any problems that might be created with this?


LDAP Over SSL


Hi guys, I hope you have a great weekend. I'm trying to set up LDAP Over SSL. I followed the guide below and installed perfectly. I chose default options like CN.

http://gregtechnobabble.blogspot.com/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html

However, when I try to test this using ldp.exe, port 636 and ssl ticked, it shows, "cannot open". I also see a log that says "Could not connect to active directory. Active directory services will rety when processing requires Active Directory Access". I can't seem to figure out what else I'm missing. 

ADFS Sizing


Team

I am planning to build ADFS 3.0 and I would like to have high availability for the ADFS servers. There are almost 17000 users who need to access the O365 service. Could you please help with this?

sizing calculator 

can I use SQL for ADFS Database or WID?

Please give more details on this.

Thanks 

Default Server in nslookup not mysite.com


When I enter in nslookup I get:

Default Server: UnKnown
Address: 192.168.1.1

Default Server should read : mysite.com

In DNS Manager under mysite.com in Forward Lookup Zones there are two entries: WIN-123456 and {same as parent folder} with the 192.168.1.1 address.

Why is Default Server in nslookup not mysite.com?

GC status unavailable in windows server 2008 R2


Hi,

We are using Windows Server 2008 R2 domain controllers. We have 3 domain controllers. My primary domain controller's GC status is unavailable. Please refer to the image below.

Thanks,

Gayan

Full fully qualified domain address not resolving


Hello

I currently have a 2008 AD set up (1 domain controller, a VM).  Originally, I set up the site in the AD as mysite.local and everything worked. I could type

ping computername.mysite.local

and Windows would find the machine.

Then, without me actively messing with the AD configuration, it (my network) changed so that if I typed

ping computername.mysite.local 

it no longer works, but if I type

ping computer.mysite  

it works fine.  I currently have an application (ArcGIS WebAdaptor) that forces the domain name to .local and it causes the thing to not work.

I have root hints set up.  Does anyone know, based on the info I gave, places to look for what might be causing the issue?

Even if you can tell me the name of what the ".local" in my fully qualified domain name is, that will help in my Google efforts (everything I seem to find is for Server 2003).

Thanks!

KdsSvc (Microsoft Key Distribution) won't start


 The Microsoft Key Distribution Service is not starting on my DC (kdssvc.dll) and when I look at the event log under Microsoft\Kdssvc, I see the events:

Event ID 4001 Group Key Distribution Service failed to start. Status 0x80070020.

Event ID 4007
Group Key Distribution Service cannot connect to the domain controller on local host. Status 0x80070020. Group Key Distribution Service cannot be started because of the error. Please contact administrators to resolve the issue.

The error 0x80070020 indicates a file lock of some type.

Does anyone know how I can fix this error? Troubleshooting on the net for this is a bit sparse and is confused with the KDC.

For clarification: This question is not about Kerberos, instead it's about the service account that handles Group Managed Service Accounts (gMSA), Bitlocker, and Windows Activation Services in a corporate environment.

Windows 2012 R2 DNS Server sporadic failures


Hi Guys;

Recently I promoted three Windows 2012 R2 servers as domain controllers in my existing multi-domain forest as the first step of a total migration to 2012 R2.

I noticed that none of the new servers are able to resolve anything normally through forwarders, whether that's internal or external, conditional or regular. What puzzles me more is that when I do an nslookup locally on these servers it always fails due to timeouts. If I try to nslookup the servers from clients, it resolves the local zones, but the external queries are hit and miss.

Despite the fact that I have external forwarders configured properly (Google) and all zones are stored in the AD forest partition with the proper reverse zones, the servers even fail to resolve their own IP address.

Any insight on possible reasons?



Replication Issue, Schema mismatch


I'm in the middle of doing an on-premises Exchange migration from 2003 to 2013 using 2010 as an intermediate server.

There are three DCs.  One 2003 DC (SBS 2003), which was the primary DC before two other 2012 R2 DCs were installed.  I had no issues promoting those DCs and initial SYSVOL replication took place.  The 2003 will be decommissioned.

What is happening is that group policy files are not consistent between the 2003 and 2012 DCs.  The logs on the 2012 DC show Event ID 1791.

Replication of application directory partition DC=abc,DC=local from source 257088c5-3493-4b40-b79b-00f06d35d3ed (abc-sbs.abc.local) has been aborted. Replication requires consistent schema but last attempt to synchronize the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 8418: The replication operation failed because of a schema mismatch between the servers involved..

I have verified that the schema IDs are the same, also for Exchange.  Repadmin shows clean replication on all servers.  I'm waiting to install Exchange 2013 and update the schema.  I don't want to start this unless this problem is fixed. I'm at a loss to figure out what is going on.  I'm not sure if this is related to the removal of Exchange 2003 from the 2003 server the previous night.  I was also having another issue on my Exchange 2010 box where the Exchange services would not start.  I had to add the Exchange server computer object to the Domain Admins group to fix it.  Only mentioning this in case it's related; my feeling is some kind of permissions problem.

Domain controller // DS/DFS/System error


Hi

Suddenly one of our 2008 R2 SP1 DCs gets a lot of errors ... all others are OK.

System :

EventID 4  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server xxxxx

DFS replication :

Event 1204 The DFS Replication service failed to contact domain controller  to access configuration 

Directory Service

1865 The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network 

1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 

DNS server

4000 The DNS server was unable to open Active Directory.  

Given those huge errors, I wonder whether the solution is to demote/remove this server from the domain and then re-promote it .....

What do you think about it?

regards


Moving a Server out of One Domain to another - How to Test?


Hi,

I'm required to create a test plan regarding moving a server out of one domain and putting it into another. Any suggestions of what should be tested? How do you test that the correct GPOs are being applied?

Apologies for the vague detail/question, I've never had to create a test plan before.

Many thanks in advance.

Establishing Global Active Directory ( GAD)


HI All,

  Our parent company is proposing GAD and I want to know a bit more about the setup.

  We are a separate forest in a different country. So if we are the resource domain and they are the account domain, how are our users impacted by this design?

  We have 5 sites and each site has 200+ users. 

  What will happen to our AD servers? Domain? Mail? Groups and shares?

At a high level I know they want one AD to manage.

As

 

What are AD objects that have SID?


Dears,

I have a question: what are the AD objects that have SID (security identifier)?

Thanks

Regards

Domain migration with UPN suffix the same as target domain name


Hello,

We are currently thinking of migrating our domain (internal.local); this domain has a UPN suffix (external.local). The UPN suffix is necessary for Office 365.

We would like to migrate to a new domain (external.local), which is the same as the UPN suffix used.

Is it possible? What is the best way to do this?

Thanks in advance,

Pēteris

PowerShell bug? PasswordNeverExpires shows "false" or "NULL"


I'm trying to create a script to send mail and monitor users with "password never expires" enabled. The idea here is to make sure that NO users will have the password-never-expires option enabled, making sure that all users are forced to change their passwords from time to time, as the GPO policy dictates.

But...

I used a disabled user to do some testing and, surprise, some users are shown as "NULL", others as "False" and others as "True".

Why is that?

Get-ADUser -Filter 'SAMAccountName -eq "USER1"' -Properties SAMAccountName,PasswordNeverExpires | select-object SAMAccountName,PasswordNeverExpires | ft -A

SAMAccountName PasswordNeverExpires
-------------- --------------------
USER1          -->> NULL, nothing, blank, empty space!


PS C:\DADOS\SCRIPTS> Get-ADUser -Filter 'SAMAccountName -eq "USER2"' -Properties SAMAccountName,PasswordNeverExpires | select-object SAMAccountName,PasswordNeverExpires | ft -A

SAMAccountName PasswordNeverExpires
-------------- --------------------
USER2                 False

So, I've changed the approach and tried something else:

Get-ADObject -LDAPFilter "(objectclass=user)" -Properties samaccountname,accountExpires | ft samaccountname,accountExpires -A | Out-File -FilePath c:\temp\file.txt

I've filtered more, to exclude disabled accounts, get only users and so on, but something weird: several non-zero (infinite) numbers have appeared in the listings:

half of the database has a "9223372036854770000" (non-zero)

but

several users (less than 30) have a different number:

129907692000000000
129962088000000000
129981096000000000
130017384000000000
130028616000000000
130058028000000000
130219596000000000
130407948000000000
130706892000000000
130792428000000000
130828716000000000
130961736000000000


It's weird; for true/false information, I'd expect to see only 2 results... frustrating...
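The large numbers in the accountExpires listing above are Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), and the value 0x7FFFFFFFFFFFFFFF (Int64.MaxValue, which `ft` renders rounded) as well as 0 both mean "never expires". Note also that accountExpires governs account expiry, not password expiry: the PasswordNeverExpires property that Get-ADUser shows is derived from the DONT_EXPIRE_PASSWD bit (0x10000) of userAccountControl. The following is an added Python example, not code from the post or from Microsoft, that decodes these values and audits a constructed set of records; two of the FILETIME values are taken from the listing, the account names and userAccountControl values are made up.

```python
from datetime import datetime, timedelta, timezone

# AD stores accountExpires, pwdLastSet and similar attributes as Windows
# FILETIME: the number of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Int64.MaxValue (0x7FFFFFFFFFFFFFFF) in accountExpires means "never"; so does 0.
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
# userAccountControl bit ADS_UF_DONT_EXPIRE_PASSWD; Get-ADUser exposes it as PasswordNeverExpires.
DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_datetime(value):
    """Decode a FILETIME value; returns None when it encodes 'never'."""
    value = int(value)
    if value in ACCOUNT_NEVER_EXPIRES:
        return None
    # Integer division by 10 turns 100 ns ticks into microseconds without float loss.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def password_never_expires(user_account_control):
    """True when the DONT_EXPIRE_PASSWD flag is set in userAccountControl."""
    return bool(int(user_account_control) & DONT_EXPIRE_PASSWD)


def audit_accounts(records, now):
    """records: iterable of (sAMAccountName, userAccountControl, accountExpires).
    Returns a list of (name, password_never_expires, account_expiry_label)."""
    report = []
    for name, uac, expires in records:
        when = filetime_to_datetime(expires)
        if when is None:
            label = "account never expires"
        elif when <= now:
            label = "account expired " + when.isoformat()
        else:
            label = "account expires " + when.isoformat()
        report.append((name, password_never_expires(uac), label))
    return report


# Constructed sample records: two accountExpires values are taken from the
# listing above, the third is Int64.MaxValue; names and UAC flags are made up.
SAMPLE_RECORDS = [
    ("USER1", 0x10200, 0x7FFFFFFFFFFFFFFF),  # normal account, password never expires
    ("USER2", 0x200, 129907692000000000),    # normal account with an expiry date
    ("USER3", 0x202, 130961736000000000),    # disabled (0x2) account with an expiry date
]

if __name__ == "__main__":
    for row in audit_accounts(SAMPLE_RECORDS, datetime(2015, 9, 1, tzinfo=timezone.utc)):
        print(*row, sep="\t")
```

Run against real data, the same three columns can be exported with Get-ADUser -Properties userAccountControl,accountExpires; the audit then flags every account with the DONT_EXPIRE_PASSWD bit set regardless of what accountExpires holds.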





Raising forest and domain functional levels


I have a single forest / single domain at 2008 r2 functional levels.

All DCs have been upgraded to 2012 R2.

We do however have some 2000 member servers in the domain.  Will these servers have issues after the forest and domain lift?

systemMayContain and MayContain


Hi

I have an interforest migration scenario with a 15-year-old domain where there are 100 custom attributes that are bound to a class.

Source domain is FFL and DFL 2003.

In the source domain the class has all 100 attributes in systemMayContain.

Target domain is FFL and DFL 2008 R2.

When I create the class (Auxiliary-Class) in the target, all attributes I add are placed under MayContain instead of systemMayContain as in the source. From what I have been reading about this, it has to do with inheritance from the Auxiliary-Class.

Will this cause any problems later on?


Frequent error on AD DS Windows Server 2008 R2


I have an error that shows every day on my Active Directory Server

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/25/2015 8:43:54 PM
Event ID:      2887
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      NGFS1.guzmor.local
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: 
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or 
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection 

This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. 

Summary information on the number of these binds received within the past 24 hours is below. 

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. 

Number of simple binds performed without SSL/TLS: 2 
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" />
    <EventID Qualifiers="32768">2887</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-26T03:43:54.003849000Z" />
    <EventRecordID>3613</EventRecordID>
    <Correlation />
    <Execution ProcessID="620" ThreadID="788" />
    <Channel>Directory Service</Channel>
    <Computer>NGFS1.guzmor.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>2</Data>
    <Data>0</Data>
  </EventData>
</Event>

Since this started to show, some of my computers show an error when trying to log in.

The trust relationship between this workstation and the primary domain failed.

And some mapped drives fail to connect.
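Event 2887 is a once-a-day summary: the two counters in EventData are the number of simple binds performed without SSL/TLS and the number of SASL binds performed without signing, in that order, exactly as the event text above spells out. A non-zero count means some client is still sending credentials or unsigned traffic on the wire, which is what needs to be found and fixed before a DC is configured to reject such binds. The following is an added Python example, not from the post or from Microsoft, that parses the event XML shown above (trimmed to the elements read here) and flags it for follow-up; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Event 2887 XML from the post above, trimmed to the
# elements this parser reads. The two <Data> values are the daily counters.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" EventSourceName="NTDS LDAP" />
    <EventID Qualifiers="32768">2887</EventID>
    <TimeCreated SystemTime="2015-08-26T03:43:54.003849000Z" />
    <Computer>NGFS1.guzmor.local</Computer>
  </System>
  <EventData>
    <Data>2</Data>
    <Data>0</Data>
  </EventData>
</Event>"""

# Windows event XML lives in this namespace; every element lookup must use it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event_2887(xml_text):
    """Extract the two unsigned/cleartext bind counters from an Event 2887 record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 2887:
        raise ValueError("expected Event ID 2887, got %d" % event_id)
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 2:
        raise ValueError("Event 2887 carries two counters in EventData")
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        # Order matches the event text: simple binds without SSL/TLS first,
        # then Negotiate/Kerberos/NTLM/Digest binds without signing.
        "simple_binds_without_tls": int(data[0]),
        "sasl_binds_without_signing": int(data[1]),
    }


def needs_attention(summary):
    """True when any client bound insecurely during the 24-hour window."""
    return (summary["simple_binds_without_tls"] > 0
            or summary["sasl_binds_without_signing"] > 0)


if __name__ == "__main__":
    s = parse_event_2887(SAMPLE_EVENT_XML)
    print(s["computer"], s["time"], s, "-> follow up" if needs_attention(s) else "-> clean")
```

When the summary is flagged, raising the "LDAP Interface Events" diagnostic level to 2, as the event itself suggests, makes the DC log one event per offending bind (Event 2889) with the client's address and account, which is what identifies the application to fix.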


Windows 2008 R2 AD DS BPA Issue


Hi All,

We are in the middle of upgrading our DCs from Windows 2003 to 2008 R2. All seems well, apart from 3 (W2K8 R2) boxes. The other 13 (W2K8) boxes don't show the issue.

When I run the AD DS BPA against the 3 problem boxes, I get the following error:

Title:
The AD DS BPA should be able to collect data about Group Policy Results setting "Access this computer from the network" from the domain controller SERVERNAME

Severity:
Error

Date:
9/21/2010 1:19:30 PM

Category:
Configuration

Issue:
The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about Group Policy Results setting "Access this computer from the network" from the domain controller SERVERNAME.

Impact:
The AD DS BPA will not be able to validate configuration data about Group Policy Results setting "Access this computer from the network".

Resolution:
Troubleshoot the domain controller SERVERNAME to determine the root cause of the problem.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=142188

I've checked the Default Domain Controller Policy and can confirm the following is applied:

Default on domain controllers:
Administrators
Authenticated Users
Enterprise Domain Controllers
Everyone
Pre-Windows 2000 Compatible Access

Conversely, I've checked deny access and they are not listed in there.

I've run RSOP on the servers and confirm the policy is being applied as expected.

Any ideas?

 

Thanks in advance,

Chaklie

 


 

I should add, dcdiag /v came back clean.

Chalkie

Global catalog says that user from DomainA belongs to Domain Users from DomainB


I am trying to get detailed information about a user's group membership using directory services queries to the global catalog. I don't want to use GetAuthorizationGroups() because it's flaky.

There are 2 domains: DomainA and DomainB. The global catalog server is a domain controller for DomainB. Finally, there is a user (UserA) which is part of DomainA.

I find UserA in the global catalog and look at the tokenGroups property to get the SIDs of all groups to which UserA belongs.

To my great surprise, I find that DomainB\Domain Users is included in the list. Why is this being included, given that UserA is not part of DomainB?

Here is the code I'm running:

using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Security.Principal;

static List<string> GetTokenGroupNames(string userPrincipalName)   // e.g. "UserA@DomainA.local"
{
    using (DirectoryEntry gc = new DirectoryEntry("GC:"))
    {
        gc.AuthenticationType = AuthenticationTypes.Secure;

        // There is only one child under "GC:".
        using (DirectoryEntry searchRoot = gc.Children.Cast<DirectoryEntry>().First())
        {
            SearchResult samResult;
            using (var samSearcher = new DirectorySearcher(searchRoot))
            {
                // Find the user. The UPN is placed in the filter unescaped, so pass trusted input only.
                samSearcher.Filter = "(userPrincipalName=" + userPrincipalName + ")";
                samSearcher.PropertiesToLoad.Add("distinguishedName");
                samResult = samSearcher.FindOne();
            }
            if (samResult == null)
                return new List<string>();   // user not found in the global catalog

            using (DirectoryEntry theUser = samResult.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute and must be requested explicitly.
                theUser.RefreshCache(new[] { "tokenGroups" });
                List<byte[]> tokenGroups = theUser.Properties["tokenGroups"].Cast<byte[]>().ToList();

                var irc = new IdentityReferenceCollection(tokenGroups.Count);
                foreach (byte[] groupSidBytes in tokenGroups)
                    irc.Add(new SecurityIdentifier(groupSidBytes, 0));

                // Translate every SID to its DOMAIN\Group name.
                return irc.Translate(typeof(NTAccount), true).Cast<NTAccount>().Select(a => a.Value).ToList();
            }
        }
    }
}
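The byte arrays that tokenGroups returns (and objectSid, the attribute behind the earlier question "What are AD objects that have SID?") share one binary layout: a revision byte, a sub-authority count, a 48-bit big-endian identifier authority, and little-endian 32-bit sub-authorities. Decoding them yourself, rather than only translating them to names, lets you see at a glance which domain each group SID belongs to, since every domain-relative SID starts with that domain's S-1-5-21-... prefix and Domain Users is always RID 513. The following is an added Python example, not from the post, with constructed domain SIDs standing in for DomainA and DomainB; the function names are my own.

```python
import struct

# Binary SID layout (objectSid, tokenGroups):
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities
#   bytes 2-7   48-bit identifier authority, big-endian
#   then        sub-authorities, each a 32-bit little-endian integer
DOMAIN_USERS_RID = 513   # well-known RID of "Domain Users" in every domain


def sid_from_bytes(blob):
    """Decode a binary SID into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; used here to build the constructed sample data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_sid(sid):
    """Return (domain_sid, rid) for a domain-relative SID (S-1-5-21-a-b-c-rid),
    or (None, None) for builtin and well-known SIDs such as S-1-5-11."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[1:4] == ["1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return None, None


def group_token_groups_by_domain(blobs):
    """Map each domain SID (or 'well-known') to the SID strings of the groups in it."""
    buckets = {}
    for blob in blobs:
        sid = sid_from_bytes(blob)
        domain, _rid = split_domain_sid(sid)
        buckets.setdefault(domain or "well-known", []).append(sid)
    return buckets


# Constructed sample: two made-up domain SIDs standing in for DomainA and DomainB.
DOMAIN_A = "S-1-5-21-1111-2222-3333"
DOMAIN_B = "S-1-5-21-4444-5555-6666"
SAMPLE_TOKEN_GROUPS = [
    sid_to_bytes(DOMAIN_A + "-513"),   # DomainA\Domain Users
    sid_to_bytes(DOMAIN_A + "-1105"),  # a DomainA global group
    sid_to_bytes(DOMAIN_B + "-513"),   # DomainB\Domain Users, as seen in the post
    sid_to_bytes("S-1-5-11"),          # Authenticated Users (well-known)
]

if __name__ == "__main__":
    for domain, sids in group_token_groups_by_domain(SAMPLE_TOKEN_GROUPS).items():
        print(domain, sids)
```

Feeding the real tokenGroups blobs from the C# code above into group_token_groups_by_domain shows directly which of the returned groups carry DomainB's SID prefix, which is the first thing to establish before deciding whether the membership reported by the GC is wrong or merely unexpected.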
